CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Description
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7
CVEs mapped to this weakness (8,813)
page 350 of 441| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2008-2837 | 0.03 | — | 0.00 | Jun 24, 2008 | SQL injection vulnerability in index.php in CMS-BRD allows remote attackers to execute arbitrary SQL commands via the menuclick parameter. | ||
| CVE-2008-2834 | 0.03 | — | 0.00 | Jun 24, 2008 | SQL injection vulnerability in projects.php in Scientific Image DataBase 0.41 allows remote attackers to execute arbitrary SQL commands via the id parameter. | ||
| CVE-2008-2816 | 0.03 | — | 0.00 | Jun 23, 2008 | SQL injection vulnerability in post.php in Oxygen (aka O2PHP Bulletin Board) 2.0 allows remote attackers to execute arbitrary SQL commands via the repquote parameter in a reply action, a different vector than CVE-2006-1572. | ||
| CVE-2008-2823 | 0.03 | — | 0.00 | Jun 23, 2008 | SQL injection vulnerability in newsarchive.php in PHPeasyblog (formerly phpeasynews) 1.13 RC2 and earlier allows remote attackers to execute arbitrary SQL commands via the post parameter. | ||
| CVE-2008-2817 | 0.03 | — | 0.00 | Jun 23, 2008 | SQL injection vulnerability in albums.php in NiTrO Web Gallery 1.4.3 and earlier allows remote attackers to execute arbitrary SQL commands via the CatId parameter in a show action. | ||
| CVE-2008-2815 | 0.03 | — | 0.00 | Jun 23, 2008 | SQL injection vulnerability in shopping/index.php in MyMarket 1.72 allows remote attackers to execute arbitrary SQL commands via the id parameter. | ||
| CVE-2008-2791 | 0.03 | — | 0.00 | Jun 20, 2008 | SQL injection vulnerability in product.detail.php in Kalptaru Infotech Comparison Engine Power Script 1.0 allows remote attackers to execute arbitrary SQL commands via the id parameter. | ||
| CVE-2008-2796 | 0.03 | — | 0.00 | Jun 20, 2008 | SQL injection vulnerability in index.php in FreeCMS 0.2 allows remote attackers to execute arbitrary SQL commands via the page parameter. | ||
| CVE-2008-2793 | 0.03 | — | 0.00 | Jun 20, 2008 | SQL injection vulnerability in group_posts.php in ClipShare before 3.0.1 allows remote attackers to execute arbitrary SQL commands via the tid parameter. | ||
| CVE-2008-2792 | 0.03 | — | 0.00 | Jun 20, 2008 | SQL injection vulnerability in index.php in eroCMS 1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the site parameter. | ||
| CVE-2008-2790 | 0.03 | — | 0.01 | Jun 20, 2008 | SQL injection vulnerability in detail.php in MountainGrafix easyTrade 2.x allows remote attackers to execute arbitrary SQL commands via the id parameter. | ||
| CVE-2008-2781 | 0.03 | — | 0.00 | Jun 19, 2008 | SQL injection vulnerability in index.php in DZOIC Handshakes 3.5 allows remote attackers to execute arbitrary SQL commands via the fname parameter in a members search action. | ||
| CVE-2008-2778 | 0.03 | — | 0.00 | Jun 19, 2008 | SQL injection vulnerability in inc/class_search.php in the Search System in RevokeBB 1.0 RC11 allows remote attackers to execute arbitrary SQL commands via the search parameter. | ||
| CVE-2008-2774 | 0.03 | — | 0.00 | Jun 19, 2008 | SQL injection vulnerability in item.php in CartKeeper CKGold Shopping Cart 2.5 and 2.7 allows remote attackers to execute arbitrary SQL commands via the category_id parameter, a different vector than CVE-2007-4736. | ||
| CVE-2008-2770 | 0.03 | — | 0.00 | Jun 18, 2008 | SQL injection vulnerability in index.php in MycroCMS 0.5, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the entry_id parameter. | ||
| CVE-2008-2755 | 0.03 | — | 0.00 | Jun 18, 2008 | SQL injection vulnerability in index.php in JAMM CMS allows remote attackers to execute arbitrary SQL commands via the id parameter. | ||
| CVE-2008-2754 | 0.03 | — | 0.00 | Jun 18, 2008 | SQL injection vulnerability in toplists.php in eFiction 3.0 and 3.4.3, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the list parameter. | ||
| CVE-2008-2753 | 0.03 | — | 0.01 | Jun 18, 2008 | Multiple SQL injection vulnerabilities in Pooya Site Builder (PSB) 6.0 allow remote attackers to execute arbitrary SQL commands via the (1) xslIdn parameter to (a) utils/getXsl.aspx, and the (2) part parameter to (b) getXml.aspx and (c) getXls.aspx in utils/. | ||
| CVE-2008-2746 | 0.03 | — | 0.00 | Jun 17, 2008 | SQL injection vulnerability in login.php in Gryphon gllcTS2 4.2.4 allows remote attackers to execute arbitrary SQL commands via the detail parameter. | ||
| CVE-2008-2701 | 0.03 | — | 0.00 | Jun 13, 2008 | SQL injection vulnerability in the GameQ (com_gameq) component 4.0 and earlier for Joomla! allows remote attackers to execute arbitrary SQL commands via the category_id parameter in a page action to index.php. |
- CVE-2008-2837Jun 24, 2008risk 0.03cvss —epss 0.00
SQL injection vulnerability in index.php in CMS-BRD allows remote attackers to execute arbitrary SQL commands via the menuclick parameter.
- CVE-2008-2834Jun 24, 2008risk 0.03cvss —epss 0.00
SQL injection vulnerability in projects.php in Scientific Image DataBase 0.41 allows remote attackers to execute arbitrary SQL commands via the id parameter.
- CVE-2008-2816Jun 23, 2008risk 0.03cvss —epss 0.00
SQL injection vulnerability in post.php in Oxygen (aka O2PHP Bulletin Board) 2.0 allows remote attackers to execute arbitrary SQL commands via the repquote parameter in a reply action, a different vector than CVE-2006-1572.
- CVE-2008-2823Jun 23, 2008risk 0.03cvss —epss 0.00
SQL injection vulnerability in newsarchive.php in PHPeasyblog (formerly phpeasynews) 1.13 RC2 and earlier allows remote attackers to execute arbitrary SQL commands via the post parameter.
- CVE-2008-2817Jun 23, 2008risk 0.03cvss —epss 0.00
SQL injection vulnerability in albums.php in NiTrO Web Gallery 1.4.3 and earlier allows remote attackers to execute arbitrary SQL commands via the CatId parameter in a show action.
- CVE-2008-2815Jun 23, 2008risk 0.03cvss —epss 0.00
SQL injection vulnerability in shopping/index.php in MyMarket 1.72 allows remote attackers to execute arbitrary SQL commands via the id parameter.
- CVE-2008-2791Jun 20, 2008risk 0.03cvss —epss 0.00
SQL injection vulnerability in product.detail.php in Kalptaru Infotech Comparison Engine Power Script 1.0 allows remote attackers to execute arbitrary SQL commands via the id parameter.
- CVE-2008-2796Jun 20, 2008risk 0.03cvss —epss 0.00
SQL injection vulnerability in index.php in FreeCMS 0.2 allows remote attackers to execute arbitrary SQL commands via the page parameter.
- CVE-2008-2793Jun 20, 2008risk 0.03cvss —epss 0.00
SQL injection vulnerability in group_posts.php in ClipShare before 3.0.1 allows remote attackers to execute arbitrary SQL commands via the tid parameter.
- CVE-2008-2792Jun 20, 2008risk 0.03cvss —epss 0.00
SQL injection vulnerability in index.php in eroCMS 1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the site parameter.
- CVE-2008-2790Jun 20, 2008risk 0.03cvss —epss 0.01
SQL injection vulnerability in detail.php in MountainGrafix easyTrade 2.x allows remote attackers to execute arbitrary SQL commands via the id parameter.
- CVE-2008-2781Jun 19, 2008risk 0.03cvss —epss 0.00
SQL injection vulnerability in index.php in DZOIC Handshakes 3.5 allows remote attackers to execute arbitrary SQL commands via the fname parameter in a members search action.
- CVE-2008-2778Jun 19, 2008risk 0.03cvss —epss 0.00
SQL injection vulnerability in inc/class_search.php in the Search System in RevokeBB 1.0 RC11 allows remote attackers to execute arbitrary SQL commands via the search parameter.
- CVE-2008-2774Jun 19, 2008risk 0.03cvss —epss 0.00
SQL injection vulnerability in item.php in CartKeeper CKGold Shopping Cart 2.5 and 2.7 allows remote attackers to execute arbitrary SQL commands via the category_id parameter, a different vector than CVE-2007-4736.
- CVE-2008-2770Jun 18, 2008risk 0.03cvss —epss 0.00
SQL injection vulnerability in index.php in MycroCMS 0.5, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the entry_id parameter.
- CVE-2008-2755Jun 18, 2008risk 0.03cvss —epss 0.00
SQL injection vulnerability in index.php in JAMM CMS allows remote attackers to execute arbitrary SQL commands via the id parameter.
- CVE-2008-2754Jun 18, 2008risk 0.03cvss —epss 0.00
SQL injection vulnerability in toplists.php in eFiction 3.0 and 3.4.3, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the list parameter.
- CVE-2008-2753Jun 18, 2008risk 0.03cvss —epss 0.01
Multiple SQL injection vulnerabilities in Pooya Site Builder (PSB) 6.0 allow remote attackers to execute arbitrary SQL commands via the (1) xslIdn parameter to (a) utils/getXsl.aspx, and the (2) part parameter to (b) getXml.aspx and (c) getXls.aspx in utils/.
- CVE-2008-2746Jun 17, 2008risk 0.03cvss —epss 0.00
SQL injection vulnerability in login.php in Gryphon gllcTS2 4.2.4 allows remote attackers to execute arbitrary SQL commands via the detail parameter.
- CVE-2008-2701Jun 13, 2008risk 0.03cvss —epss 0.00
SQL injection vulnerability in the GameQ (com_gameq) component 4.0 and earlier for Joomla! allows remote attackers to execute arbitrary SQL commands via the category_id parameter in a page action to index.php.